Category Archives: confidentiality

Holly Towle wrote an excellent article on the boilerplate language issues that might now exist in your contracts. Read the article… consider the issues… review your templates. Make some changes. Of course, you can always just call me and I’d be happy to review your contracts for you. 😉

These are the discussions that happened around the web this week – maybe you already read about them, maybe you need to again. Come join the party on twitter (follow me here and you’ll participate in the conversation live.)

I also realized that many of you might have no idea what you’re seeing below. Sorry. These are “tweets”, messages of at most 140 characters sent via Twitter. Within the Twitterverse, individual users follow others and have followers (think of it like overlapping Venn diagram circles). To read a tweet, you have to wade through a bit of jargon used to make the most of the 140-character limitation. “RT”, for example, is shorthand for “Re-tweet”, and the @____ is the username of some other individual on Twitter. Combined together, then, “RT @_____” means that someone else wrote a tweet that I found important and I now want to forward along to my followers. The URLs are also shortened by services like bit.ly to make the most of the character limitation. Lastly, you might see “hash” identifiers (“#______”), which are ways to tag tweets of a particular flavor for easy searching later, and “<”, which means that I am commenting on what came before it.

The things that happened around the web this week – maybe you already read about them, maybe you need to again.

When dealing with confidential information, one of the key areas of concern is where information that would otherwise be considered confidential loses its protection. In most contracts, there are four situations where confidential information ceases to be confidential information and can be released. Information that:

was in the public domain prior to, at the time of, or subsequent to disclosure;

was in the lawful possession of recipient prior to disclosure and was not already covered by a confidentiality provision;

is subsequently acquired by recipient through lawful means from a third party who is not under an obligation of confidentiality; or,

is subsequently developed by recipient without use of or reference to the confidential information.

For these four items, information that was confidential now is not.

There’s a fifth reason which would allow for disclosure, but I argue, shouldn’t change the nature of the information from confidential to non-confidential: disclosure pursuant to court order or legal process.

In this fifth scenario, we’re talking about a situation where a court of competent jurisdiction orders the release of information, usually to the court, as part of a judicial (or extra-judicial, like arbitration) process. The information is going to be disclosed because of its probative value: simply because it’s confidential doesn’t mean that the court shouldn’t consider it as part of whatever is the subject of the litigation.

But that doesn’t mean that I want that information to change status to non-confidential information. Rather, what I want is to keep that information confidential even AFTER the judicial review. This is possible through the use of protective orders and other legal procedures. But if your contracts say that a judicial process will change the information’s status to non-confidential, a single well-strategized lawsuit can unintentionally release a lot of otherwise-confidential information into the public domain.

The best way to handle this is to make sure that your confidentiality provisions clearly segment release of confidential information pursuant to a court order from the other four reasons by which confidential information becomes non-confidential. Additionally, include language that requires the disclosing party (the one responding to the court order) to:

Notify the owner of the confidential information that such court order is being pursued/followed/responded to.

Reasonably assist the owner of the confidential information in obtaining any available legal protections.

Only disclose the specific confidential information requested by the court order (not just hand over everything).

When Clear announced their intent to terminate operations, the big question was: “What’s going to happen to each user’s private data (things like, um, fingerprints and background checks)?”

Now we know. They intend to SELL IT! This is why I harp on making sure that you have the proper provisions in your contract(s) for confidentiality, indemnification, information security and limitation of liability.

To Clear’s credit, they are saying that they’re going to continue to comply with their pre-existing privacy policy – and that the data can only be sold to another TSA-approved traveler program. But what if that program is run by an organization you wouldn’t want to have your personal details?*

Interestingly enough, however, this violates the terms of that agreement (as it existed when I pulled it from flyclear.com on June 29, 2009) – boldings are mine:

3. ADDITIONAL LIMITATIONS ON APPLICANT AND MEMBER PERSONAL INFORMATION
A. We do not sell or give lists or compilations of the personal information of our members or applicants to any business or non-profit organization. We do not provide member or applicant personal information to any affiliated or non-affiliated organizations for marketing.
B. None of the information that we collect may be used for any purpose outside the operation and maintenance of the Clear Services.
C. We would only disclose personal information about members or applicants if required to do so by law or legal process.

The termination of operation might be considered a “legal process” – but the way the language is written, 3.C. would not be valid as a result of the company’s dissolution. Thus, they’re limited to 3.A. – which clearly states that they won’t sell the information to “any business.” I wonder what the chance is now that they’ll only sell it to someone who’s TSA-approved.

*Not that the government doesn’t now already have your information as a result of the background check. I’m just sayin’.

Meanwhile, Google is busy blaming it on the user (italics are mine): “We’ve identified and fixed a bug which may have caused you to share some of your documents without your knowledge.”

Yeah, Lifehacker, this isn’t minor. It never is. Especially to those individuals who have data that was shared without knowledge. Oh, and C-Net, you shouldn’t downplay this either – mentioning that lost laptops are a security risk, too, doesn’t do anything to resolve the issue at hand.

Look folks, any breach of privacy, especially in a SaaS/cloud-computing environment, is a HUGE problem. Shore up your contracts today, please (confidentiality, IP indemnification, and exclusions for breach of confidentiality in your limitation of liability language). Need help doing it? Just give me a shout.